WordPress Plugin Vulnerabilities

Ultimate Addons for Elementor < 1.20.1 - Authentication Bypass

Description

A vulnerability affecting the Ultimate Addons for Elementor WordPress plugin allows malicious users to authenticate as any other user due to the lack of checks when logging in via Facebook or Google.

Affects Plugins

Plugin icon
ultimate-elementor
Fixed in 1.20.1

References

URL
https://www.malcare.com/blog/critical-vulnerability-ultimate-addons-wpastra-elementor-beaver-builder/
URL
https://www.webarxsecurity.com/critical-vulnerability-in-ultimate-add-ons-elementor/

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
10.0 (critical)

Miscellaneous

Original Researcher
MalCare
Verified
No
WPVDB ID
e17430d9-f70f-40de-ad37-53810a96b2fc

Timeline

Publicly Published
2019-12-12 (about 6 years ago)
Added
2019-12-12 (about 6 years ago)
Last Updated
2021-04-14 (about 5 years ago)

Other

Published
Title
Published
2021-10-11
Title
Pie Register < 3.1.7.6 - Unauthenticated Arbitrary Login
Published
2024-10-25
Title
Meetup <= 0.1 - Authentication Bypass
Published
2025-08-22
Title
Bravis User <= 1.0.0 - Authentication Bypass to Account Takeover
Published
2023-05-15
Title
RegistrationMagic < 5.2.1.1 - Unauthenticated Authentication Bypass
Published
2025-02-28
Title
Academist Membership < 1.2 - Authentication Bypass